hash_equals( string $a, string $b )

Timing-attack-safe string comparison

Description

Compares two strings using the same time whether they’re equal or not.

This function was added in PHP 5.6.

Note: It can leak the length of a string when arguments of differing length are supplied, because the function returns false as soon as the lengths differ, before any bytes are compared.

Parameters

$a

(string) (Required) Expected string.

$b

(string) (Required) Actual, user-supplied string.

Return

(bool) Whether strings are equal.

Source

File: wp-includes/compat.php

function hash_equals( $a, $b ) {
	$a_length = strlen( $a );
	if ( $a_length !== strlen( $b ) ) {
		return false;
	}
	$result = 0;

	// Do not attempt to "optimize" this.
	for ( $i = 0; $i < $a_length; $i++ ) {
		$result |= ord( $a[ $i ] ) ^ ord( $b[ $i ] );
	}

	return $result === 0;
}
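
An added example (not WordPress code) of calling hash_equals() so that the length leak described in the note above reveals nothing secret: first on fixed-length HMAC digests, then on a variable-length secret by hashing both sides under a one-time key. The helper names verify_signature() and equals_hiding_length(), the secret and the payload are assumptions made for illustration; random_bytes() requires PHP 7 or later.

```php
<?php
// Added example, not WordPress code. verify_signature() and
// equals_hiding_length() are hypothetical helper names.

// Check a hex HMAC-SHA256 signature. Both digests are always 64 characters,
// so the length hash_equals() can reveal is a public constant.
function verify_signature( $payload, $supplied_sig, $secret ) {
	// A missing header or array-valued parameter is not a string: reject it.
	if ( ! is_string( $payload ) || ! is_string( $supplied_sig ) ) {
		return false;
	}
	$expected = hash_hmac( 'sha256', $payload, $secret );

	// Expected value first, user-supplied value second.
	return hash_equals( $expected, $supplied_sig );
}

// Compare a variable-length secret: HMAC both sides under a one-time random
// key so hash_equals() only ever sees two 64-character digests and its
// early return on a length mismatch never fires.
function equals_hiding_length( $known, $supplied ) {
	if ( ! is_string( $known ) || ! is_string( $supplied ) ) {
		return false;
	}
	$key = random_bytes( 32 ); // Requires PHP 7 or later.

	return hash_equals(
		hash_hmac( 'sha256', $known, $key ),
		hash_hmac( 'sha256', $supplied, $key )
	);
}

// Constructed sample values for demonstration.
$secret  = 'constructed-demo-secret';
$payload = '{"event":"ping"}';
$valid   = hash_hmac( 'sha256', $payload, $secret );

var_dump( verify_signature( $payload, $valid, $secret ) );                 // valid signature
var_dump( verify_signature( $payload, str_repeat( '0', 64 ), $secret ) );  // wrong digest
var_dump( verify_signature( $payload, null, $secret ) );                   // missing header
var_dump( equals_hiding_length( 'stored-api-key', 'guess' ) );             // differing lengths
var_dump( equals_hiding_length( 'stored-api-key', 'stored-api-key' ) );    // same value
```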

Changelog

Version Description
3.9.2 Introduced.

© 2003–2019 WordPress Foundation
Licensed under the GNU GPLv2+ License.
https://developer.wordpress.org/reference/functions/hash_equals